Solved: Re: Need assistance with configuration to ssh into inside private host in AWS over VPN

JMJr · ‎10-23-2019

Trying to configure the FW to allow ssh from a remote vpn user to an inside private host over Mgt interface and allow traffic out Outside interface

VPN is working correctly, ssh is not working to internal host in private subnet

(traffic from the VPN subnet is allowed in sg for host 10.0.6.129: 192.168.10.0/24

VPN POOL subnet - 192.168.10.0

Mgmt Public IP - 96.127.51.x

Inside subnet - 10.0.3.0

Outside Public IP - 160.1.68.x

Object host IP - 10.0.6.129

Config as follows:

ip local pool Network-10 192.168.10.2-192.168.10.252 mask 255.255.255.0

interface GigabitEthernet0/0

description AWS Eth1 Inside interface

nameif Inside

security-level 100

ip address 10.0.3.33 255.255.255.0

!

interface GigabitEthernet0/1

description AWS Eth2 Outside interface

nameif Outside

security-level 0

ip address 15.200.26.219 255.255.255.240

!

interface Management0/0

description AWS Eth0 Management

nameif management

security-level 100

ip address dhcp setroute

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network AWS-Inside_01

subnet 10.0.1.0 255.255.255.0

object network AWS-Inside_03

subnet 10.0.3.0 255.255.255.0

object service Linux_ssh

service tcp source eq ssh destination eq ssh

object service Windows_rdp

service tcp source eq 3389 destination eq 3389

object network NLB-6.14

host 10.0.6.14

object network Linux-ssh-6.129

host 10.0.6.129

object-group network AWS-Internal

description AWS Internal networks

network-object 10.0.1.0 255.255.255.0

network-object 10.0.3.0 255.255.255.0

network-object 10.0.5.0 255.255.255.0

network-object 10.0.6.0 255.255.255.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list SplitTunnel standard permit 10.0.4.0 255.255.255.0

access-list SplitTunnel standard permit 10.0.6.0 255.255.255.0

access-list vpn-acl extended permit ip any any log

access-list vpn-acl extended deny ip any any log

access-list management_access_in remark Allow remote VPN users access to the internal AWS network over the Network-10 subnet

access-list managament_access_in extended permit ip object-group AWS-Internal object NETWORK_OBJ_192.168.10.0_24 log

access-list PrivateHost-Inside extended permit tcp any host 96.127.51.193 eq ssh log

access-list PrivateHost-Inside extended permit icmp any4 any4

nat (Inside,management) source static AWS-Internal AWS-Internal destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

!

object network NLB-6.14

nat (Inside,management) static 96.127.51.193

!

object network Linux-ssh-6.129

nat (Inside,management) static 96.127.51.193

!

nat (Inside,management) after-auto source dynamic any interface

access-group PrivateHost-Inside in interface management

route Inside 10.0.4.0 255.255.255.0 10.0.3.1 1

route Inside 10.0.6.0 255.255.255.0 10.0.3.1 1

0.0.0.0 0.0.0.0 [1/0] via 10.0.1.1, management

C 10.0.1.0 255.255.255.0 is directly connected, management

L 10.0.1.24 255.255.255.255 is directly connected, management

C 10.0.3.0 255.255.255.0 is directly connected, Inside

L 10.0.3.33 255.255.255.255 is directly connected, Inside

S 10.0.4.0 255.255.255.0 [1/0] via 10.0.3.1, Inside

S 10.0.6.0 255.255.255.0 [1/0] via 10.0.3.1, Inside

V 192.168.10.2 255.255.255.255

connected by VPN (advertised), management

ASAv-p1(config)# sh asp table socket

Protocol Socket State Local Address Foreign Address

SSL 186a8938 LISTEN 10.0.1.24:443 0.0.0.0:*

DTLS 186b7ea8 LISTEN 10.0.1.24:443 0.0.0.0:*

TCP 186babe8 LISTEN 10.0.1.24:22 0.0.0.0:*

SVC 2de68238 ESTAB 10.0.1.24:443 10.0.1.223:13607

TCP 660a1e58 ESTAB 10.0.1.24:22 10.0.1.216:48524

Thanks.....

Francesco Molino · ‎10-23-2019

Hi

I do see an acl SplitTunnel which i believe is given to your vpn clients but it's missing subnet 10.0.3.0.

Also you need to make sure devices in aws have the route in the rtb to join back client vpn pool.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎10-23-2019

Hi

I do see an acl SplitTunnel which i believe is given to your vpn clients but it's missing subnet 10.0.3.0.

Also you need to make sure devices in aws have the route in the rtb to join back client vpn pool.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

JMJr · ‎10-24-2019

Thanks for that observation, I'll make that change.

You mentioned the devices in AWS should have the route in the rtb to join back client vpn pool, can you explain this as all Outgoing traffic is allowed back out the IGW. Would that need to be the VPN Pool subnet or something else?

Is there any other config changes I need to make on the ASA to allow the connectivity to return back to the remote users through the tunnel ?

Thank you

Francesco Molino · ‎10-24-2019

I looked at the config quickly over my phone and didn't see any other thing missing.
If it still didn't work, can you give the output of packet tracer command. If you don't know how packet-tracer works, let me know and I'll give you the command.
For aws, machines on 10.0.3.0 subnet had csr ip as default gateway? If so no need to configure anything on the rtb.
Can you give maybe a drawing of how everything is interconnected to make sure?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

JMJr · ‎10-25-2019

Thanks for responding.

I have included an attachment of the arch setup.

For the packet tracer command, let me know if this is correct:

If so, the results are below.

-packet-tracer input management tcp 192.168.10.3 2022 96.127.x.x 22

(192.168.10.3 is IP of machine obtained from VPN pool)

(96.127.x.x is the management public IP)

ASAv-p1# packet-tracer input management tcp 192.168.10.3 2022 96.127.x.x 22

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.0.1.1 using egress ifc management

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: management

input-status: up

input-line-status: up

output-interface: management

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Thank you...

JMJr · ‎10-25-2019

This issue has been resolved.
The route table for the private instance in AWS needed to have a route back to the ASA inside network interface.
Thank you Francesco.

Marius Gunnerud · ‎10-25-2019

It would help to see a diagram of how this connection is happening. To me it looks like you have the VPN terminating on the management interface. You also have several NAT statement translating the inside to the managment interface, one of these statements is the after-auto dynamic NAT statement. Are there any NAT statement for the outside interface also? For VPN traffic entering the MGMT interface and also leaving the MGMT interface be sure you have the command same-security-traffic permit intra-interface configured globally.

For traffic leaving the outside interface be sure to have a dynamic NAT statment configured with source MGMT interface, destination outside translating the VPN address range to the outside interface.

--
Please remember to select a correct answer and rate helpful posts